This system performs anomaly detection on Industrial Control System (ICS) network traffic using machine learning. It extracts network behavior features, detects anomalies, and sends results through MQTT to Elasticsearch for visualization in Kibana.
- Real-time packet capture and analysis
- Machine learning-based anomaly detection using Isolation Forest
- Extraction of 10 key network behavior features:
  - Packet Size
  - Inter-arrival Time
  - Protocol Type
  - Port Number
  - Packet Count
  - Byte Count
  - Flow Duration
  - TCP Flags
  - TCP Window Size
  - Payload Length
- MQTT integration for real-time alerts
- Elasticsearch storage for historical analysis
- Kibana dashboards for visualization
- Install Python dependencies:
  `pip install -r requirements.txt`
- Start the infrastructure services:
  `docker-compose up -d`
- Access Kibana to set up visualizations:
  - Open http://localhost:5601 in your browser
  - Create an index pattern for "ics_anomalies"
  - Create dashboards to visualize:
    - Anomaly detection results over time
    - Feature distributions
    - Alert history
- Run the anomaly detector:
  `sudo python ics_anomaly_detector/detector.py`
  Note: `sudo` is required for packet capture capabilities
- Anomaly Detector: Uses Isolation Forest algorithm to detect anomalies in network traffic
- MQTT Broker: Handles real-time message publishing of detection results
- Elasticsearch: Stores all detection results and feature data
- Kibana: Provides visualization and analysis interface
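The following is an added example, not code from this project: on constructed packet records (a steady set of polling flows to TCP port 502 and one burst flow to an unexpected port) it groups packets into flows, computes the ten features listed above in the README's order, and scores each flow with a minimal pure-Python Isolation Forest, the same algorithm the Anomaly Detector component uses. All function names, the packet record fields, the sample traffic and the 0.7 alert threshold are assumptions; the project itself would use a library implementation such as scikit-learn's.

```python
import functools, math, random
from collections import defaultdict

def constructed_packets(seed=7):
    # Constructed sample, not a capture: 20 steady polling flows to TCP/502 plus one outlier flow.
    rng, pkts = random.Random(seed), []
    for i in range(20):
        pkts += [dict(t=k + rng.uniform(0, 0.05), src=f"10.0.0.{i + 10}", dst="10.0.0.2", proto=6,
                      dport=502, size=rng.randint(60, 66), flags=0x18, win=8192,
                      payload=rng.randint(6, 12)) for k in range(12)]
    pkts += [dict(t=k * 0.001, src="10.0.0.99", dst="10.0.0.2", proto=6, dport=4444, size=1400,
                  flags=0x02, win=65535, payload=1346) for k in range(300)]  # burst to an odd port
    return pkts

def flow_features(packets):
    # Group packets by flow and build the README's 10 features, in the README's order.
    mean = lambda v: sum(v) / len(v) if v else 0.0
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"], p["proto"], p["dport"])].append(p)
    rows = {}
    for key, pk in flows.items():
        t = sorted(p["t"] for p in pk)
        rows[key] = [mean([p["size"] for p in pk]), mean([b - a for a, b in zip(t, t[1:])]),
                     key[2], key[3], len(pk), sum(p["size"] for p in pk), t[-1] - t[0],
                     functools.reduce(int.__or__, (p["flags"] for p in pk), 0),
                     mean([p["win"] for p in pk]), mean([p["payload"] for p in pk])]
    return rows  # {flow: [size, iat, proto, port, count, bytes, duration, flags, win, payload]}

def _c(n):  # expected path length of an unsuccessful BST search on n items; normalises scores
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n if n > 1 else 0.0

def _tree(x, depth, limit, rng):  # one isolation tree: random feature, random split point
    f = rng.randrange(len(x[0])) if x else 0
    lo, hi = (min(r[f] for r in x), max(r[f] for r in x)) if x else (0, 0)
    if depth >= limit or len(x) <= 1 or lo == hi:
        return ("leaf", len(x))
    s = rng.uniform(lo, hi)
    return ("node", f, s, _tree([r for r in x if r[f] < s], depth + 1, limit, rng),
            _tree([r for r in x if r[f] >= s], depth + 1, limit, rng))

def _path(tree, row, depth=0):  # depth at which this tree isolates the row
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    return _path(tree[3] if row[tree[1]] < tree[2] else tree[4], row, depth + 1)

def anomaly_scores(rows, n_trees=100, seed=1):
    # Isolation Forest: rows isolated by few random splits score near 1, normal rows near 0.5;
    # scores at or above an alert threshold (0.7 here, an assumption) are what gets published.
    rng, n, limit = random.Random(seed), len(rows), math.ceil(math.log2(max(len(rows), 2)))
    trees = [_tree(rng.sample(rows, n), 0, limit, rng) for _ in range(n_trees)]
    return [2 ** (-sum(_path(t, r) for t in trees) / n_trees / _c(n)) for r in rows]
```

Flows scoring at or above the threshold are the ones the detector would publish on the `ics/anomaly` topic.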
- MQTT messages can be monitored using:
  `mosquitto_sub -t "ics/anomaly" -v`
- Elasticsearch indices can be checked using:
  `curl http://localhost:9200/_cat/indices`
- View real-time results in Kibana at http://localhost:5601